# See https://goteleport.com/docs/config-reference/ and
# https://goteleport.com/docs/database-access/guides/postgres-self-hosted/
#
# This establishes a reverse proxy back to the central auth server,
# allowing that to connect to the postgres server running on
# localhost:5432.  Auth is checked using role-based access control,
# which determines which hosts, databases, and database users the
# remote user is allowed to connect to.
teleport:
  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
  auth_servers:
    # Use the proxy address, to support running the db_service, which requires
    # a reverse tunnel.
    - teleport.zulipchat.net:443
<% if @is_ec2 -%>
  join_params:
    method: iam
    token_name: iam-token
<% else -%>
  join_params:
    method: token
    token_name: <%= @join_token %>
<% end %>

ssh_service:
  enabled: no
app_service:
  enabled: no
proxy_service:
  enabled: no
auth_service:
  enabled: no

db_service:
  enabled: yes
  databases:
    - name: "<%= @hostname %>"
      protocol: "postgres"
      uri: "<%= @fqdn %>:5432"
      ca_cert_file: /etc/ssl/certs/teleport-ca.crt
      static_labels:
        hostname: "<%= @hostname %>"
      dynamic_labels:
        # Every hour, refresh the label that describes if this
        # instance is a replica; this allows access to be granted only
        # to replicas.
        - name: "is_replica"
          command:
            ["sudo", "-u", "zulip", "psql", "-tc", "select pg_is_in_recovery()"]
          period: 1h
